| /*! |
| * proxy-addr |
| * Copyright(c) 2014-2016 Douglas Christopher Wilson |
| * MIT Licensed |
| */ |
| |
| 'use strict' |
| |
| /** |
| * Module exports. |
| * @public |
| */ |
| |
| module.exports = proxyaddr |
| module.exports.all = alladdrs |
| module.exports.compile = compile |
| |
| /** |
| * Module dependencies. |
| * @private |
| */ |
| |
| var forwarded = require('forwarded') |
| var ipaddr = require('ipaddr.js') |
| |
| /** |
| * Variables. |
| * @private |
| */ |
| |
| var DIGIT_REGEXP = /^[0-9]+$/ |
| var isip = ipaddr.isValid |
| var parseip = ipaddr.parse |
| |
| /** |
| * Pre-defined IP ranges. |
| * @private |
| */ |
| |
| var IP_RANGES = { |
| linklocal: ['169.254.0.0/16', 'fe80::/10'], |
| loopback: ['127.0.0.1/8', '::1/128'], |
| uniquelocal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fc00::/7'] |
| } |
| |
| /** |
| * Get all addresses in the request, optionally stopping |
| * at the first untrusted. |
| * |
| * @param {Object} request |
| * @param {Function|Array|String} [trust] |
| * @public |
| */ |
| |
| function alladdrs (req, trust) { |
| // get addresses |
| var addrs = forwarded(req) |
| |
| if (!trust) { |
| // Return all addresses |
| return addrs |
| } |
| |
| if (typeof trust !== 'function') { |
| trust = compile(trust) |
| } |
| |
| for (var i = 0; i < addrs.length - 1; i++) { |
| if (trust(addrs[i], i)) continue |
| |
| addrs.length = i + 1 |
| } |
| |
| return addrs |
| } |
| |
| /** |
| * Compile argument into trust function. |
| * |
| * @param {Array|String} val |
| * @private |
| */ |
| |
| function compile (val) { |
| if (!val) { |
| throw new TypeError('argument is required') |
| } |
| |
| var trust |
| |
| if (typeof val === 'string') { |
| trust = [val] |
| } else if (Array.isArray(val)) { |
| trust = val.slice() |
| } else { |
| throw new TypeError('unsupported trust argument') |
| } |
| |
| for (var i = 0; i < trust.length; i++) { |
| val = trust[i] |
| |
| if (!IP_RANGES.hasOwnProperty(val)) { |
| continue |
| } |
| |
| // Splice in pre-defined range |
| val = IP_RANGES[val] |
| trust.splice.apply(trust, [i, 1].concat(val)) |
| i += val.length - 1 |
| } |
| |
| return compileTrust(compileRangeSubnets(trust)) |
| } |
| |
| /** |
| * Compile `arr` elements into range subnets. |
| * |
| * @param {Array} arr |
| * @private |
| */ |
| |
| function compileRangeSubnets (arr) { |
| var rangeSubnets = new Array(arr.length) |
| |
| for (var i = 0; i < arr.length; i++) { |
| rangeSubnets[i] = parseipNotation(arr[i]) |
| } |
| |
| return rangeSubnets |
| } |
| |
| /** |
| * Compile range subnet array into trust function. |
| * |
| * @param {Array} rangeSubnets |
| * @private |
| */ |
| |
| function compileTrust (rangeSubnets) { |
| // Return optimized function based on length |
| var len = rangeSubnets.length |
| return len === 0 |
| ? trustNone |
| : len === 1 |
| ? trustSingle(rangeSubnets[0]) |
| : trustMulti(rangeSubnets) |
| } |
| |
| /** |
| * Parse IP notation string into range subnet. |
| * |
| * @param {String} note |
| * @private |
| */ |
| |
| function parseipNotation (note) { |
| var pos = note.lastIndexOf('/') |
| var str = pos !== -1 |
| ? note.substring(0, pos) |
| : note |
| |
| if (!isip(str)) { |
| throw new TypeError('invalid IP address: ' + str) |
| } |
| |
| var ip = parseip(str) |
| |
| if (pos === -1 && ip.kind() === 'ipv6' && ip.isIPv4MappedAddress()) { |
| // Store as IPv4 |
| ip = ip.toIPv4Address() |
| } |
| |
| var max = ip.kind() === 'ipv6' |
| ? 128 |
| : 32 |
| |
| var range = pos !== -1 |
| ? note.substring(pos + 1, note.length) |
| : null |
| |
| if (range === null) { |
| range = max |
| } else if (DIGIT_REGEXP.test(range)) { |
| range = parseInt(range, 10) |
| } else if (ip.kind() === 'ipv4' && isip(range)) { |
| range = parseNetmask(range) |
| } else { |
| range = null |
| } |
| |
| if (range <= 0 || range > max) { |
| throw new TypeError('invalid range on address: ' + note) |
| } |
| |
| return [ip, range] |
| } |
| |
| /** |
| * Parse netmask string into CIDR range. |
| * |
| * @param {String} netmask |
| * @private |
| */ |
| |
| function parseNetmask (netmask) { |
| var ip = parseip(netmask) |
| var kind = ip.kind() |
| |
| return kind === 'ipv4' |
| ? ip.prefixLengthFromSubnetMask() |
| : null |
| } |
| |
| /** |
| * Determine address of proxied request. |
| * |
| * @param {Object} request |
| * @param {Function|Array|String} trust |
| * @public |
| */ |
| |
| function proxyaddr (req, trust) { |
| if (!req) { |
| throw new TypeError('req argument is required') |
| } |
| |
| if (!trust) { |
| throw new TypeError('trust argument is required') |
| } |
| |
| var addrs = alladdrs(req, trust) |
| var addr = addrs[addrs.length - 1] |
| |
| return addr |
| } |
| |
| /** |
| * Static trust function to trust nothing. |
| * |
| * @private |
| */ |
| |
| function trustNone () { |
| return false |
| } |
| |
| /** |
| * Compile trust function for multiple subnets. |
| * |
| * @param {Array} subnets |
| * @private |
| */ |
| |
| function trustMulti (subnets) { |
| return function trust (addr) { |
| if (!isip(addr)) return false |
| |
| var ip = parseip(addr) |
| var ipconv |
| var kind = ip.kind() |
| |
| for (var i = 0; i < subnets.length; i++) { |
| var subnet = subnets[i] |
| var subnetip = subnet[0] |
| var subnetkind = subnetip.kind() |
| var subnetrange = subnet[1] |
| var trusted = ip |
| |
| if (kind !== subnetkind) { |
| if (subnetkind === 'ipv4' && !ip.isIPv4MappedAddress()) { |
| // Incompatible IP addresses |
| continue |
| } |
| |
| if (!ipconv) { |
| // Convert IP to match subnet IP kind |
| ipconv = subnetkind === 'ipv4' |
| ? ip.toIPv4Address() |
| : ip.toIPv4MappedAddress() |
| } |
| |
| trusted = ipconv |
| } |
| |
| if (trusted.match(subnetip, subnetrange)) { |
| return true |
| } |
| } |
| |
| return false |
| } |
| } |
| |
| /** |
| * Compile trust function for single subnet. |
| * |
| * @param {Object} subnet |
| * @private |
| */ |
| |
| function trustSingle (subnet) { |
| var subnetip = subnet[0] |
| var subnetkind = subnetip.kind() |
| var subnetisipv4 = subnetkind === 'ipv4' |
| var subnetrange = subnet[1] |
| |
| return function trust (addr) { |
| if (!isip(addr)) return false |
| |
| var ip = parseip(addr) |
| var kind = ip.kind() |
| |
| if (kind !== subnetkind) { |
| if (subnetisipv4 && !ip.isIPv4MappedAddress()) { |
| // Incompatible IP addresses |
| return false |
| } |
| |
| // Convert IP to match subnet IP kind |
| ip = subnetisipv4 |
| ? ip.toIPv4Address() |
| : ip.toIPv4MappedAddress() |
| } |
| |
| return ip.match(subnetip, subnetrange) |
| } |
| } |